Two-factor and Multi-factor authentication

Two-factor and Multi-factor authenticationTwo-factor and Multi-factor authenticationTwo-factor authentication (2FA) and multi-factor authentication (MFA) both add additional layers of security to your account. Your "P@ssw0rd1234" password isn't as clever as you think it is. If an attacker figures our your password and you don't have 2FA enabled, your account is now their account. 2FA combines something you know (your password) with something you have (ideally a second device). Of course, you've already configured KeePass so you don't even remember your account password, right? Right?Of course, there are several types available, and I'm going to go through them from the least secure to the most secure.

SMS 2FA: That's the text message you get with a 6 digit code you have to enter within a certain timeframe. The problem with this is that, if your phone number is known to a good attacker, you could fall victim to what's called a "SIM-swapping attack" and your 2FA method is compromised. I only recommend this method if you have something like a Google Voice number that's behind even stronger 2FA.

"Verify from Another Device." This one's predicated on if you're already logged into your account from another device. Facebook likes using this method as the default 2FA (to keep you locked into their toxic ecosystem), and Apple also does this when you're logging into your account (ideally sending the code to your iPhone or iPad). This may be slightly more secure then SMS 2FA, but I still don't recommend it.

Code via email. This one works almost like SMS 2FA except it's sent to your email. I only recommend this method if your email is secured behind either FIDO2 or TOTP (see below).

Timed one-time passwords (TOTP). Now we're getting into the two methods I recommend. When your account says to set up "Google Authenticator," that's just one app you can use. Any app or hardware device that saves TOTP codes can do this. It will tell you to either scan a QR code or it will optionally say to manually input a string of seemingly-incomprehensible characters. Those characters are what's known as a "seed." You'll want to copy that down somewhere, ideally in a KeePass database separate from your passwords (you do not know how many times I've had to recover TOTP seeds this way). Just a word of warning, your TOTP seeds can be phished. If someone's asking for them, don't give it out. For apps, this is going to be mobile-only recommendations. For Android, I recommend Aegis Authenticator (a second one, AndOTP, is no longer maintained). For iOS, I recommend 2FAS. These two apps will secure your TOTP codes behind a separate lock screen.

FIDO2 USB authenticator token (key). The most secure out of the four. What this is is something that looks like a USB stick with either a button or a gold plate attached to it. You plug it into the computer when prompted at setup, you press a button or tap the gold plate, and you're set up. Whenever you visit that website, you'll be prompted to plug in the key, press the button or tap the gold plate, and you're logged in. If you're on a different site, the key won't recognize it and the challenge will be refused. The two drawbacks to this method are that the keys can be lost and, like other USB drives, it can wear out over time. If you do end up losing a key, make sure you remove it from all accounts you have it set up on or someone else might be able to get into your accounts. The keys I recommend buying are Yubikey (not open source, but still the industry standard and has AWESOME support on both Windows and Linux), NitroKey, and SoloKey (the last two are open source).

I personally set up both FIDO2 and TOTP whenever I can. That way if the FIDO2 keys somehow get corrupted, I have the TOTP method to fall back on. It might seem like a pain in the ass, but it's an even bigger pain in the ass to try to recover your account from a hacker so a few seconds of inconvenience is worth the peace of mind.Back